More on Shortcuts to Discovering New Ways
to Break into Computers
___________________________________________________________
*** Disassemblers and Decompilers
___________________________________________________________

Many companies, for example Microsoft, ship products that
hide what appear to be an almost infinite number of break-in
vulnerabilities. They try to hide these problems by keeping their
source code secret. Indeed, this does make your job harder but
not impossible. In fact, it might even be easier because these
programs usually have many more hidden flaws than programs for
which you can get source code.

One solution to the lack of source code is to get it anyhow. Nope,
I am not suggesting that you steal code. There are legal, fun
ways to get it (sometimes). A disassembler program can take a
compiled program and convert it into assembly language, which
a sufficiently talented programmer can analyze. The problem with
disassemblers is that they can only process small programs. Despite
this, they are still the tools of choice to analyze worms, viruses,
CGI and other small programs.
___________________________________________________________
Newbie note: Assembly language is specific
to a type of central processing unit (CPU). The assembly language
for a Motorola PowerPC CPU (used by Apple computers) is different
from that used by the Intel compatible CPUs, and both of these
are different from the assembly language used by Sun SPARC CPUs.
___________________________________________________________

The big problem with using a disassembler is that assembly
code takes a lot of brain power to understand. If at all possible,
you want to get source code in a high level language because
it is much easier to understand. They have obvious commands such
as "goto" (for example in FORTRAN), "include"
(for example in C) or "macrocopy" (MS Office macro
programming). By contrast, examples of assembly language commands
are "je" and "lea".

It's pretty hard to go through the output of a disassembler or
even a decompiler and figure out what represents security flaws.
Oftentimes it is easier to find flaws by running a program through
a debugger, which operates a program one step at a time and allows
you to view what is in memory at each step. Of course, you need
to understand what all those things in memory mean: another good
excuse to get that college degree!

Some programs are staggeringly large. The Windows XP operating
system confronts the analyst/hacker with forty million lines
of code. No decompiler or even debugger can do much with such
a big program. Nevertheless, there are ways to get around this.

A program that automatically tests suspect code with "fault
injection" tools will often discover security flaws. Fault
injection means entering data or commands to the program that
cause bugs to show up. Examples are a database query that commands
the server to erase everything, or a ridiculously long web browser
URL that infects a webserver with a worm, as was the case with
the Nimda and various Code Red worms.
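Fault injection as described above, shown as an added example that is not part of the original article: a small Python harness feeds constructed malformed HTTP request lines (including the "ridiculously long URL" case) to a toy parser and reports which inputs escape as unhandled exceptions, then runs the same cases against a hardened version of the parser. The parser functions, the BadRequest class and the test inputs are all assumptions made for this illustration.

```python
from typing import Callable, Iterable

MAX_PATH = 256  # constructed limit for the toy parser


class BadRequest(ValueError):
    """The parser's intended, clean rejection of malformed input."""


def parse_request_path(line: bytes) -> str:
    """Toy parser (constructed): pull the path out of b'GET /x HTTP/1.1'.
    It guards against only one fault (an oversized path); others leak out."""
    method, path, version = line.split(b" ")  # wrong token count -> raw ValueError
    if len(path) > MAX_PATH:
        raise BadRequest("path too long")
    return path.decode("ascii")  # non-ASCII bytes -> UnicodeDecodeError


def parse_request_path_hardened(line: bytes) -> str:
    """Same parser, with every malformed shape turned into a clean BadRequest."""
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[1].startswith(b"/"):
        raise BadRequest("malformed request line")
    path = parts[1]
    if len(path) > MAX_PATH or not path.isascii():
        raise BadRequest("path too long or not ASCII")
    return path.decode("ascii")


def fault_inputs() -> list[bytes]:
    """Constructed fault-injection cases: oversized, empty, wrong token count, odd bytes."""
    return [
        b"GET /" + b"A" * 10_000 + b" HTTP/1.1",  # the 'ridiculously long URL' case
        b"",                                      # empty line
        b"GET",                                   # missing tokens
        b"GET / HTTP/1.1 extra",                  # too many tokens
        b"GET /caf\xc3\xa9 HTTP/1.1",             # non-ASCII path
        b"GET\t/\tHTTP/1.1",                      # wrong separator
    ]


def inject_faults(target: Callable[[bytes], str], cases: Iterable[bytes]) -> list[tuple[bytes, str]]:
    """Run each case through `target`; report inputs that escape with an
    exception other than BadRequest, i.e. a bug the injected fault exposed."""
    findings = []
    for case in cases:
        try:
            target(case)
        except BadRequest:
            continue  # clean, deliberate rejection: not a finding
        except Exception as exc:  # anything else is an unhandled failure
            findings.append((case[:24], type(exc).__name__))
    return findings
```

Running inject_faults against parse_request_path reports five of the six cases as unhandled failures (the oversized path is the only one it rejects cleanly), while the hardened parser reports none.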